Migrating a Kerberos Realm
Ken Raeburn
raeburn at MIT.EDU
Thu Nov 2 23:14:31 EST 2006
On Nov 2, 2006, at 17:48, Henry B. Hotz wrote:
> OTOH, it sounds like a fun idea to me. Do the cryptosystem RFCs
> specify the default salt?
Actually, the default salt, derived from the realm and principal
name, is specified in the main Kerberos protocol document, and is
invariant across cryptosystems; the cryptosystem RFCs don't know
anything about principal names or realm names. What gets done with
the salt string is defined per cryptosystem, though.
Using a fixed per-principal salt string allows an attacker to convert
a standard password-cracking dictionary into a set of keys for a
given principal, and try that set of keys repeatedly despite the user
changing her password. If the salt string (which is supposed to be
UTF-8 if I recall correctly) is randomized and long enough, then any
key of N bits should be possible[*] even if the password is in the
dictionary, and the attacker can only precompute his key list for a
given salt string. So it's probably worth considering despite the
bugs of one implementation.
Ken
[*] Assuming the cryptosystem actually uses the salt string, and
incorporates it properly, of course. The RC4 cryptosystem, for
example, does not use it, and thus the key is derived from the
password alone, and a dictionary can be converted to keys that can be
tried for any user in any realm.
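
Added example (not part of the original post): a Python sketch of the point about fixed versus randomized salts. The realm, principal and word list are constructed, and only the PBKDF2-HMAC-SHA1 stage of the RFC 3962 AES string-to-key is computed (the final key-derivation step is omitted), so the values are intermediates, not real Kerberos keys.

```python
import hashlib
import os

ITERATIONS = 4096  # RFC 3962 default iteration count when none is supplied

def default_salt(realm, principal):
    """Default salt: the realm followed by the name components, no separators."""
    return (realm + "".join(principal.split("/"))).encode("utf-8")

def pbkdf2_stage(password, salt, keylen=32):
    """PBKDF2-HMAC-SHA1 stage of the AES string-to-key (final DK step omitted)."""
    return hashlib.pbkdf2_hmac("sha1", password.encode("utf-8"), salt,
                               ITERATIONS, keylen)

def precompute(wordlist, salt):
    """Key -> password table; it is only valid for the salt it was built with."""
    return {pbkdf2_stage(word, salt): word for word in wordlist}

# Constructed sample data (assumptions, not from the original post).
WORDLIST = ["autumn2006", "letmein", "correct horse"]
REALM, PRINCIPAL = "EXAMPLE.COM", "alice"

def table_survives_password_change(salt_before, salt_after):
    """True if a table built for salt_before still contains the key after the
    user moves to another dictionary password stored under salt_after."""
    table = precompute(WORDLIST, salt_before)
    new_key = pbkdf2_stage("letmein", salt_after)
    return new_key in table

def demo():
    fixed = default_salt(REALM, PRINCIPAL)
    # A fresh random salt chosen at password change, kept as an ASCII string.
    random_salt = os.urandom(16).hex().encode("ascii")
    return {
        "default_salt": fixed,
        "fixed_salt_table_reusable": table_survives_password_change(fixed, fixed),
        "random_salt_table_reusable": table_survives_password_change(fixed, random_salt),
    }

if __name__ == "__main__":
    for name, value in demo().items():
        print(name, value)
```

With the default salt the same precomputed table keeps matching across password changes; with a per-change random salt the table has to be rebuilt for each new salt value.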